ADFS Certificates Test

In an Active Directory Federation Services (AD FS) farm, various certificates are used to secure communication and to facilitate user authentication between Internet clients and federation servers. Each federation server must have a service communication certificate and a token-signing certificate before it can participate in AD FS communications. The following certificate types are associated with a federation server:

  • Token-signing certificate

  • Service communication certificate

  • Secure Sockets Layer (SSL) certificate

  • Token-decryption certificate

These certificates are essential for secure access and communication between clients and federation servers. If an active certificate expires, the communication that depends on it stops. To avoid this, administrators should proactively identify certificates nearing expiry and renew them in time. This is where the ADFS Certificates test helps.

This test auto-discovers all active certificates used by the target AD FS server, computes how long each active certificate will remain valid, and proactively alerts administrators when any certificate is nearing expiry.

Target of the test : An AD FS server

Agent deploying the test : An external agent

Outputs of the test : One set of results for each certificate used by the AD FS server

Configurable parameters for the test

Test Period : How often the test should be executed.

Host : The host for which the test is to be configured.

Port : The port at which the AD FS server listens.

Measurements made by the test

Measurement : Days to expire

Description : Indicates the number of days remaining before this certificate expires.

Measurement Unit : Number

Interpretation : A high value is desired for this measure. A very low value indicates that the certificate is about to expire very soon; renew the certificate before that happens.

The detailed diagnosis of the Days to expire measure reveals the subject and issuer names of the certificate. In addition, administrators can find the thumbprint, the time stamp at which the certificate expires, the version of the certificate and the friendly name assigned to the certificate.
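The following added PowerShell example (not part of this page or of the monitoring product) shows how the same information can be gathered directly on a federation server: it enumerates the token-signing, token-decrypting, service communication and SSL certificates, computes the days to expiry for each, and prints the fields listed above. It assumes an elevated session on an AD FS server with the ADFS module available; the 30-day warning threshold is a constructed value.

```powershell
# Added example: enumerate the certificates an AD FS server uses and compute
# days to expiry for each, the measure the ADFS Certificates test reports.
# Run in an elevated PowerShell session on a federation server; needs the
# ADFS module (Windows Server 2012 R2 or later).
Import-Module ADFS -ErrorAction Stop

$WarnDays = 30            # assumption: threshold for an "about to expire" warning
$now      = Get-Date

# Build one row per certificate with the fields the detailed diagnosis shows.
function New-CertRow {
    param([string]$Type, [bool]$IsPrimary,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    [pscustomobject]@{
        Type         = $Type
        IsPrimary    = $IsPrimary
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        Thumbprint   = $Cert.Thumbprint
        FriendlyName = $Cert.FriendlyName
        Version      = $Cert.Version
        NotAfter     = $Cert.NotAfter
        DaysToExpire = [math]::Floor(($Cert.NotAfter - $now).TotalDays)
    }
}

$rows = @()

# Token-signing, token-decrypting and service-communications certificates.
foreach ($c in Get-AdfsCertificate) {
    $rows += New-CertRow -Type $c.CertificateType -IsPrimary $c.IsPrimary -Cert $c.Certificate
}

# SSL certificate bound to the HTTPS endpoint, looked up by hash in the machine store.
foreach ($b in Get-AdfsSslCertificate) {
    $x = Get-Item -Path "Cert:\LocalMachine\My\$($b.CertificateHash)" -ErrorAction SilentlyContinue
    if ($x) { $rows += New-CertRow -Type "SSL $($b.HostName):$($b.PortNumber)" -IsPrimary $true -Cert $x }
}

$rows | Sort-Object DaysToExpire |
    Format-Table Type, IsPrimary, DaysToExpire, NotAfter, Thumbprint, Subject -AutoSize

# Low values are the ones to act on: renew before the certificate expires.
$expiring = @($rows | Where-Object { $_.DaysToExpire -lt $WarnDays })
if ($expiring.Count -gt 0) {
    Write-Warning ("{0} certificate(s) expire within {1} days" -f $expiring.Count, $WarnDays)
    $expiring | ForEach-Object {
        Write-Warning ("  {0} {1} expires {2:u}" -f $_.Type, $_.Thumbprint, $_.NotAfter)
    }
}
```

Secondary (non-primary) token certificates appear too, which matters when AD FS AutoCertificateRollover has already staged a replacement: the old primary still shows a short remaining lifetime until it is retired.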

Figure 1 : The detailed diagnosis revealed by the Days to expire measure